Do StrategicRISK Benchmarking Club correspondents think that IT security measures are sufficient and should laws be tightened in this area? Sue Copeman describes the results of our latest survey

European businesses consider that successful control of IT risk is important for their organisations – indeed over half of those surveyed described it as ‘vital’. Yet 40% have no dedicated IT security manager or director, suggesting that they may be taking a significant gamble with their company’s future.

Some respondents also made valuable further comments on the importance of IT risk management in companies like their own.

- IT risk management needs to include the ‘softer’ side as well – staff are working longer, so access to email is more important; there are new technologies such as VOIP that people use to communicate. Rather than just having a blanket ‘no’ on these technologies, IT needs to ensure that the IT systems both support the business and are a ‘benefit’ to staff.

- We have an obligation to guarantee a supply to our customers. Much of our supply network operations rely on IT controls and therefore the risks are necessarily managed with regard to the relative importance.

- Managing risk for IT should be seen as a critical risk that could undermine the achievement of the corporate objectives as detailed in the corporate plan.

- It is increasingly complex with diffuse corporate boundaries and increased importance of systems – performance, capacity, availability and security.

- As we continue to rely more and more on IT-based delivery of our product, the ability to manage these IT risks needs to be effectively evaluated.

- It’s core to the business... it’s no longer something you can do if you have time.

- Like many firms, our firm ‘dies’ in the event of prolonged IT downtime.

Nearly two-thirds (65%) of respondents said that they had undertaken a risk management assessment of their IT risks in the past two years. A further 16% said that this function was left to the IT security director/manager or outsourced to a specialised contractor. However, nearly 20% had not reviewed these risks during the two-year period, a possibly dangerous oversight.

Rapid development can make IT security a particularly difficult challenge. A confident 26% of respondents said that they completely understood the true risks involved. But 52% admitted that their understanding was only partial, while 17% said that they had little understanding of the true risks. Indeed, in response to the question on the extent that they considered they understood the risks, one respondent commented: ‘Not at all – I’m not sure that anyone here does’!

Interestingly, there was no great consensus on where respondents considered their organisations’ greatest IT-related risks lay. Fifty-seven per cent mentioned loss of data, but after that views varied. For example, 36% cited virus infection, 23% internal fraud and theft of data, and 18% loss of power and deliberate external attack. Only 9% considered external fraud to be a serious threat.

Other key risks mentioned by individual respondents included:

- infrastructure disaster

- loss of system availability

- too much reliance on very few key employees

- collapse of system

- phishing

- sub optimal investment in IT.

Use of specialist consultants to advise on managing IT risk is fairly widespread. In the last two years, over three-quarters of respondents had taken this route. Far fewer (16%) had consulted their insurance brokers. While most of those seeking outside help (73%) were happy with the quality of the assistance provided, an alarming 27% were not.

There were some interesting comments on the role or level of usefulness of external consultants in IT security.

- While external consultants are technically competent, their lack of general business knowledge prevents them being 100% effective.

- As with any consultants, they have a role to play – generating ideas, helping with best practice, helping conduct reviews and raising issues that are not listened to from internal sources.

- External consultants are useful provided you work fully in partnership with them and discuss all risks – when you hide a risk it comes back as a reality, which undermines not just the IT systems alone, but all management systems.

- As with all consultants, their role needs to be well defined in advance.

- They are vital – you could never hope to keep up to date with all the issues yourself, and you need an element of independence.

- Basically, here in Spain, those consultants are prepared to sell new software programs, but they are not prepared to advise.

- They tend to focus on technical/external issues, with not enough attention on organisational/internal issues.

- Very important as they are not part of the management structure and provide totally independent advice.

- IT security is a discipline in its own right so for a large firm consultants are essential.

Should laws change?

Companies are clearly focusing internally on IT risk management, but would they be assisted by external measures such as ‘better’ laws? We asked whether respondents believed that national or international laws needed to be tightened to improve IT security protection. Seventy-two per cent considered they should, with 11% calling for a dramatic tightening and 46% for significant improvements.

Further comments on legal measures included the following:

- Legislation needs to keep pace, not only with IT but with the methodologies used to exploit IT vulnerabilities. Just two years ago the biggest problem was piracy. Today the biggest problem is the proliferation of organised crime.

- Theft of IT intelligence should carry similar penalties to other thefts.

- It is hard for legislation to keep pace.

- I see IT security as a cultural risk against which one can’t legislate.

Many businesses of all types – not just those selling products over the web – depend on electronic communications. In addition to maintaining a high level of IT security and preventing the potential for cyber-fraud, it is clear that many respondents to this survey were understandably concerned about any problem that could result in their IT systems’ failure. For example, physical damage and infrastructure problems were important considerations. Indeed, there is such a multitude of possible threats that it was not surprising that, apart from loss of data, respondents failed to agree where their key risks lay.

Alarmingly, the survey shows that, despite the dangers, some companies are failing to review their risks regularly. The survey revealed widespread use of specialist consultants, and this is surely an area where they could bring their expertise to bear.

For further information about Crawford & Co, please visit or contact Paul Bermingham, Director, Corporate Multinational Risks, on +44 (0)20 7220 1562.